InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
There are analysts around the globe who are continually being jolted awake in the middle of the night to respond to ransomware attacks. Because WordPress is the market share leader (39.5% of all websites are powered by WordPress; that number jumps to 64.1% for content management systems), my team of SOC analysts aren’t strangers to responding to WordPress security issues. The one lesson we’ve learned time and time again: Preventative security measures are the most effective steps you can take against ransomware attacks.
Not long ago, independent software developer Tim Perry, creator of the HTTP Toolkit for intercepting and debugging web traffic…
…decided to add proxy support to his product, which, like lots of software these days, is written using Node.js.
ICYMI, Node.js is the project that took the JavaScript language out of your browser and turned it into a full-blown application development system in its own right, a bit like Java (which is unrelated to JavaScript, by the way, for all that the names sound similar).
As well as the JavaScript core, which uses the V8 JavaScript engine from Google’s Chromium project, Node.js sofware typically also relies on NPM, the Node package manager, and the NPM registry, a truly enormous repository of open-source Node tools and programming libraries.
The NPM registry runs from basic text formatting to full-on facial recognition, and almost everything in between.
Instead of writing all, of the code in your project yourself, or even most of it, you simply reference the add-on packages you want to use, and NPM will fetch them for you, along with any additional packages that your chosen package needs…
…and all the packages that those packages need, following the turtles packages all the way down until every piece of add-on code needed to complete the jigsaw has been located and installed automatically.
A researcher at vulnerability and red-team company Rapid7 recently uncovered a pair of risky security bugs in a digital home security product.
The first bug, reported back in May 2021 and dubbed CVE-2021-39276, means that an attacker who knows the email address against which you registered your product can effectively use your email as a password to issue commands to the system, including turning the entire alarm off.
The affected product comes from the company Fortress Security Store, which sells two branded home security setups, the entry-level S03 Wifi Security System, which starts at $130, and the more expensive S6 Titan 3G/4G WiFi Security System, starting at $250.
The intrepid reseacher, Arvind Vishwakarma, acquired an S03 starter system, which includes a control panel, remote control fobs, a door or window sensor, a motion detector, and an indoor siren.
(The company also sells additional fobs and sensors, outdoor sirens, which are presumably louder, and “pet-immune” motion detectors, which we assume are less sensitive than the regular ones.)
Unfortunately, it didn’t take much for Vishwakarma to compromise the system, and figure out how to control it without authorisation, both locally and remotely.
Pwned! The home security system
Life Hacks: DIY Home Camera Security System: Protect Your Property for FREE
Liquid-fuelled rocket engine design has largely followed a simple template since the development of the German V-2 rocket in the middle of World War 2. Propellant and oxidizer are mixed in a combustion chamber, creating a mixture of hot gases at high pressure that very much wish to leave out the back of the rocket, generating thrust.
Humans love combusting fuels in order to do useful work. Thus far in our history, whether we look at steam engines, gasoline engines, or even rocket engines, all these technologies have had one thing in common: they all rely on fuel that burns in a deflagration. It’s the easily controlled manner of slow combustion that we’re all familiar with since we started sitting around campfires.
Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online.
The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source — we’ll call him “Bill” to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day.
In about half the cases the credentials are being checked via “IMAP,” which is an email standard used by email software clients like Mozilla’s Thunderbird and Microsoft Outlook. With his visibility into the proxy network, Bill can see whether or not an authentication attempt succeeds based on the network response from the email provider (e.g. mail server responds “OK” = successful access).
You might think that whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold.
And they seem particularly focused on stealing gift card data.
“Sometimes they’ll log in as much as two to three times a week for months at a time,” Bill said. “These guys are looking for low-hanging fruit — basically cash in your inbox. Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value.”
Security flaws in commercial Bluetooth stacks dubbed BrakTooth can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.
A set of 16 security flaws in commercial Bluetooth stacks, collectively tracked as BrakTooth, can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.
The issues were discovered by the ASSET (Automated Systems SEcuriTy) Research Group from the Singapore University of Technology and Design (SUTD), their name comes from the Norwegian word “Brak” which translates to ‘crash’.
The BrakTooth flaws impact 13 Bluetooth chipsets from 11 vendors, including Intel, Qualcomm, and Texas Instruments, experts estimated that more than 1,400 commercial products may be impacted.
As of today, the researchers discovered 16 security vulnerabilities, with 20 common vulnerability exposures (CVEs) already assigned and four vulnerabilities are pending CVE assignment from Intel and Qualcomm.
“we disclose BrakTooth, a family of new security vulnerabilities in commercial BT stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE) in certain IoTs.” reads the post published by the researchers. “All the vulnerabilities are already reported to the respective vendors, with several vulnerabilities already patched and the rest being in the process of replication and patching. Moreover, four of the BrakTooth vulnerabilities have received bug bounty from Espressif System and Xiaomi. “
The attack scenario tested by the experts only requires a cheap ESP32 development kit (ESP-WROVER-KIT) with a custom (non-compliant) LMP firmware and a PC to run the PoC tool they developed. The tool communicates with the ESP32 board via serial port (/dev/ttyUSB1) and launches the attacks targeting the BDAddress (<target bdaddr>) using the specific exploit (<exploit_name>).
The ASSET group has released the PoC tool to allow vendors to test their devices against the vulnerabilities
Guide to Bluetooth Security: Recommendations of the National Institute of Standards and Technology (Special Publication 800-121 Revision 1)
IT’S A SHOCKING revelation: The Bahraini government allegedly purchased and deployed sophisticated malware against human rights activists, including spyware that required no interaction from the victim—no clicked links, no permissions granted—to take hold on their iPhones. But as disturbing as this week’s report from the University of Toronto’s Citizen Lab may be, it’s also increasingly familiar.
These “zero-click” attacks can happen on any platform, but a string of high-profile hacks show that attackers have homed in on weaknesses in Apple’s iMessage service to execute them. Security researchers say the company’s efforts to resolve the issue haven’t been working—and that there are other steps the company could take to protect its most at-risk users.
Interactionless attacks against current versions of iOS are still extremely rare, and almost exclusively used against a small population of high-profile targets around the world. In other words, the average iPhone owner is very unlikely to encounter them. But the Bahrain incident shows that Apple’s efforts to defuse iMessage risks for its most vulnerable users have not fully succeeded. The question now is how far the company is willing to go to make its messaging platform less of a liability.
“It’s frustrating to think that there is still this un-deletable app on iOS that can accept data and messages from anyone,” says longtime macOS and iOS security researcher Patrick Wardle. “If somebody has a zero-click iMessage exploit, they can just send it from anywhere in the world at any time and hit you.”
The Stealthy iPhone Hacks That Apple Still Can’t Stop
After another “zero-click” attack, security experts say it’s time for more extreme measures to keep iMessage users safe.
The U.S. Department of Justice (DoJ) announced the creation of a cybersecurity fellowship program that will train prosecutors and attorneys to handle emerging national cybersecurity threats.
Fellows in the three-year Cyber Fellowship program will investigate and prosecute state-sponsored cybersecurity threats, transnational criminal groups, infrastructure and ransomware attacks and the use of cryptocurrency and money laundering to finance and profit from cybercrimes.
Cyber Fellowship Program
The program will train selected attorneys to deal with emerging cybercriminal threats and the ability to secure a top-secret security clearance is a prerequisite. All participants will be based in the Washington, D.C. area.
As part of the fellowship, participants will rotate through the multiple departments charged with protecting the country from cybersecurity threats, including the Criminal Division, the National Security Division and the U.S. Attorneys’ Offices.
The program is coordinated through the Criminal Division’s Computer Crime and Intellectual Property Section and the creation of the Fellowship is the result of a recommendation from the department’s ongoing comprehensive cybersecurity review, which was ordered by Deputy Attorney General Lisa Monaco in May 2021.
The pandemic, as well as users’ personal preferences, have helped enable the rapid emergence of digital payment applications and digital wallets, which compete with credit cards and cash as preferred payment options.
The growing popularity of digital wallets such as Google Pay, Samsung Pay and Apple Pay is making them a bigger target for malicious actors, according to a report from security analytics software specialist Cognyte.
The study, which collected and analyzed threat actors’ conversations about digital wallets from 2016 through 2020, found the number of threat actors’ interactions around the topic almost doubled from 2017 to 2018.
By 2019, this number grew by 456%, reaching 31,878 interactions and by 2020 it grew by another 292%, reaching 96,363 interactions.
Though lots of people might be taking some time off over the Labor Day weekend, threat actors likely won’t — which means organizations should remain particularly vigilante about the potential for ransomware attacks, the federal government has warned.
Citing historical precedence, the FBI and CISA put out a joint cybersecurity advisory (PDF) Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity.
While the agencies said they haven’t discovered “any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday,” they are working on the idea that it’s better to be safe than sorry given that some major cyber-attacks have occurred over holidays and weekends during the past few months.
Indeed, attackers recently have taken advantage of the fact that many extend holiday weekends to four days or more, leaving a skeleton crew behind to oversee IT and network infrastructure and security, security professionals observed.
“Modern cyber criminals use some pretty sneaky tactics to maximize the damage and collect the most money per attack,” noted Erich Kron, security awareness advocate at security firm KnowBe4, in an e-mail to Threatpost.
Because organizations are generally short-staffed over holiday weekends, the swiftness with which they can respond to attacks that occur during these times “will be impacted,” he said.
That’s mainly because the absence of key personnel make it less likely that organizations that are targeted can quickly detect and contain attacks once launched, observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.
“This additional time gives attackers the ability to exfiltrate more sensitive data or lock up more computers with ransomware than they otherwise might have been able to,” he said in an email to Threatpost.
You must have had that happy feeling (happiest of all when it’s still a day or two to payday and you know that your balance is paper-thin) when you’re withdrawing money from a cash machine and, even though you’re still nervously watching the ATM screen telling you that your request is being processed, you hear the motors in the cash dispensing machinery start to spin up.
That means, even before any banknotes get counted out or the display tells you the final verdict, that [a] you’ve got enough funds, [b] the transaction has been approved, [c] the machine is working properly, and [d] you’re about to get the money.
Well, imagine that if you hit the [Cancel] button at exactly the right moment between the mechanism firing up and the money being counted out…
…and if your timing was spot on, then your card would stay in the machine, your account wouldn’t get debited, and you’d be asked if you wanted to try again, BUT YOU’D GET THE CASH FROM THE CANCELLED TRANSACTION ANYWAY!?!!?
And imagine that, as long as you kept pressing that magic button at just the right moment, you could loop back on yourself and layer ghost withdrawal on ghost withdrawal…
…until the machine finally ran out of money, or hit some internal software limit on recursive withdrawals, or you decided to quit while you were ahead and get clear of the ATM before an alarm went off.
Blockchain Bubble or Revolution: The Future of Bitcoin, Blockchains, and Cryptocurrencies
Windows 11 won’t auto-update on slightly old PCs. It appears this includes security updates—although Microsoft PR is doing its usual trick of ghosting reporters who ask.
This sounds like a terrible idea: A fleet of unpatched Windows 11 PCs connected to the internet? That’s a recipe for disaster.
Stand by for Redmond to walk this one back in an embarrassing climbdown. In today’s SB Blogwatch, we hope against hope.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Olivia vs. Paramore.
Why leave us in the dark?” Windows 11 won’t technically leave millions of PCs behind … so long as you download and manually install an ISO file. … But it turns out even that technicality has a technicality: Microsoft is now threatening to withhold Windows Updates … potentially even security updates. … It’s quite possible this is just a cover-your-ass measure. … But it’s also possible Microsoft genuinely does mean to withhold patches. … Microsoft declined to clarify things further. … Windows 11 could theoretically be an operating system where you go back to the days of manually downloading [security] updates. … Feature updates are probably less of a big deal. [But] why leave us in the dark?
When it comes to online behaviors, women are far safer than men, according to a wide-ranging survey from SecurityAdvisor.
Despite the fact that women made up 42% of the sample data, they account for 48% of the top safe users and only 26% of risky users. Men, on the other hand, account for 74% of risky users: A big driver of these risky behaviors stems from men’s and women’s online behaviors.
According to SecurityAdvisor’s data, men are more likely to visit dangerous adult websites, use P2P software and watch pirated content than women.
SecurityAdvisor analyzed more than 500,000 malicious emails and an additional 500,000+ dangerous website visits by enterprise employees in more than twenty countries. Employees range from entry-level to executives and operate across many industries, including health care, financial services, communications, professional services, energy and utilities, retail and hospitality.
“Our partner here, Kelley McElhaney from Berkeley University, noted that women are more aware of long-term ramifications of risky behaviors,” SecurityAdvisor CEO Sai Venkataraman said. “Also, society tends to tolerate failures by dominant groups better, hence men don’t fear the consequences or fear consequences less.”
He also pointed out that men, from an early age, are socialized to take risks and win, hence they are less afraid of a potential negative outcome and engage in riskier behaviors.
What do AWS Partners with Level 1 Managed Security Service (MSSP) Competency provide?
All AWS Level 1 MSSP Competency Partners provide at minimum the ten 24/7 security monitoring, protection, and remediation services as defined in the Level 1 Managed Security Services baseline. Those ten 24/7 services specifically are below.
Many of the Level 1 MSSP Competency Partners also provide additional security assessment and implementation professional services as well to assist customers in their AWS cloud journey.
AWS Infrastructure Vulnerability Scanning – Routine scanning of AWS infrastructure for known software vulnerabilities.
AWS Resource Inventory Visibility – Continuous scanning and reporting of all AWS resources and their configuration details, updated automatically with newly added or removed resources.
AWS Security Best Practices Monitoring – Track and detect misconfigurations of AWS resources to improve cloud security posture and reduce business risk.
AWS Compliance Monitoring – Scanning AWS environment for compliance standards such as: CIS AWS Foundations, PCI DSS, HIPAA, HITRUST, ISO 27001, MITRE ATT&CK, and SOC2.
Monitor, Triage Security Events – Gain visibility into security alerts with a consolidated list of security events and recommended remediation guidance.
24/7 Incident Alerting and Response – Receive notification of high priority security events and expert guidance on recommended remediation steps 24/7.
DDoS Mitigation – Increase visibility and resilience to DDoS attacks and reduce the risk of availability, financial, and security impacts to applications.
Managed Intrusion Prevention System (IPS) – Add a layer of security for AWS-based endpoints, helping with defense against known threat patterns, to increase overall security posture.
Managed Detection and Response (MDR) for AWS-Based Endpoints – A combination of technology and cloud security experts working to continuously detect, investigate, and remove threats from within AWS-based endpoints.
Managed Web Application Firewall (WAF) – A firewall managed service designed to protect web-facing applications and APIs against common exploits.
OpenSSL, as its name suggests, is mainly used by network software that uses the TLS protocol (transport layer security), formerly known as SSL (secure sockets layer), to protect data in transit.
Although TLS has now replaced SSL, removing a huge number of cryptographic flaws along the way, many of the popular open source programming libraries that support it, such as OpenSSL, LibreSSL and BoringSSL, have kept old-school product names for the sake of familiarity.
Despite having TLS support as its primary aim, OpenSSL also lets you access the lower-level functions on which TLS itself depends, so you can use the libcrypto part of OpenSSL to do standalone encryption, compute file hashes, verify digital signatures and even do arithmetic with numbers that are thousands of digits long.
The solution is, instead, to focus on building applications that are secure by design, with zero-trust security baked-in rather than bolted-on. This is one of the three key strategic criteria we see for forward-looking enterprises that are accelerating the security of their applications.
Make applications secure by design – zero-trust is now the recommended security model.
Embrace tools that enable agility and efficiency and eliminate complexity.
Embrace open source for future-proofing, maximum visibility and to avoid proprietary lock-in.
Integrating security and the WAN is the next wave in network architecture. That means embedding zero-trust and access management capabilities in applications.
Zero-trust, to continue with the sporting event analogy, requires ticket checks before fans reach the stadium; it determines if they are authentic fans and therefore whether they can enter, where they can go once they’re inside the venue and which events they can watch. Zero-trust uses context as well as identity to authenticate users, and it enables policies that permit access only within a certain time window, a particular network segment or to a specific application. It removes the element of implicit trust that is so easily exploited, whether deliberately by bad actors or accidentally by careless users.
There are numerous ways of approaching the implementation of an ISMS. The most common method to follow is a ‘Plan Do Check Act’ process.
ISO 27001 is the international security standard that details the requirements of an ISMS.
ISO 27001, along with the best-practice guidelines contained in ISO 27002, serve as two excellent guides to get you started with implementing an ISMS.
A certified ISMS, independently audited by an approved certification body, can serve as the necessary reassurance to customers and potential clients that the organization has taken the steps required to protect their information assets from a range of identified risks.
The strength of an ISMS is based on the robustness of the information security risk assessment, which is key to any implementation.
The ability to recognize the full range of risks that the organization and its data may face in the foreseeable future is a precursor to implementing the necessary mitigating measures (known as ‘controls’).
ISO 27001 provides a list of recommended controls that can serve as a checklist to assess whether you have taken into consideration all the controls necessary for legislative, business, contractual, or regulatory purposes.
John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. Mr. Binns, who since 2017 has used several online aliases, communicated with the Journal in Telegram messages from an account that discussed details of the hack before they were widely known.
The August intrusion was the latest in a string of high-profile breaches at U.S. companies that have allowed thieves to walk away with troves of personal details on consumers. A booming industry of cybersecurity consultants, software suppliers and incident-response teams have so far failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data.
Samsung says that it can disable any of its Samsung TV sets remotely using TV Block, a feature built into all television products sold worldwide.
This was revealed by the South Korean multinational in a press release issued earlier this month in response to the July South African riots that led to large-scale looting, which also impacted Samsung warehouses and stores.
“TV Block is a remote, security solution that detects if Samsung TV units have been unduly activated, and ensures that the television sets can only be used by the rightful owners with a valid proof of purchase,” Samsung said.
“The aim of the technology is to mitigate against the creation of secondary markets linked to the sale of illegal goods, both in South Africa and beyond its borders. This technology is already pre-loaded on all Samsung TV products.”
As Samsung explains, the goal behind remotely disabling stolen TV sets is to limit looting and “third party purchases,” and ensuring that the TVs can only be used by “rightful owners with a valid proof of purchase.”
It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need to have a Razer devices and physical access to a computer. With that said, the bug is so easy to exploit as you just need to spend $20 on Amazon for Razer mouse and plug it into Windows 10 to become an admin.
![Life Hacks: DIY Home Camera Security System: Protect Your Property for FREE by [Tam S.]](https://m.media-amazon.com/images/I/51jUIZj0h0L.jpg)
![CYBER SECURITY FOR TOP EXECUTIVES: Everything you need to know about Cybersecurity by [Alejandra Garcia]](https://m.media-amazon.com/images/I/51UZgLnDdYS.jpg)
